Solved: Get data from the last 2 business days

younesboumaaz · ‎02-11-2021

I'm setting an alert that will run everdy business day at 9AM and triggers only if the sum of a field is 0 for 2 consecutive business day.

To do that, I want to set my time range for my search to return events from the last two business days.

For example, if it is Monday, it will return data for Thursday and Friday, if it is Tuesday, it will return data for Friday and Monday.

I tried to use "earliest" and "latest" at the beginning of my search but I can't get it to work....

Any Help would be welcome ! 🙂

younesboumaaz · ‎02-15-2021

Thank you for your response! Indeed, it would work if only date_wday was in my data... But no worries, it inspired me, and I worked on it to finally find a solution!

I've set my time range to "6 last days" :

index=yourindex
| timechart span=1d sum(NbrHashOK) as sommehash 
| fillnull value=0 sommehash 
| eval 
Jour=strftime(_time, "%A %d %B %Y"),
day_of_week = strftime(_time,"%A"),
now=strftime(now(),"%A") , 
test=case(now="Monday" AND (day_of_week="Thursday" OR day_of_week="Friday"),"OK",
now="Tuesday" AND (day_of_week="Friday" OR day_of_week="Monday"),"OK",
now="Wednesday" AND (day_of_week="Monday" OR day_of_week="Tuesday"),"OK",
now="Thursday" AND (day_of_week="Tuesday" OR day_of_week="Wednesday"),"OK",
now="Friday" AND (day_of_week="Wednesday" OR day_of_week="Thursday"),"OK",
1=1,0) 
| where test="OK" 
| stats sum(sommehash) as test_sommehash values(Jour) as jour

View solution in original post

lydiapal_splunk · ‎02-13-2021

Hi!

Here's a solution that will work if your data has the default field "date_wday" extracted (see docs here). Although it is a default field (extracted automatically), you should read the docs before using this field. If this field is not available, you would need some other logic to determine the weekday for each event.

index=yourindex earliest=-4d@d latest=-0d@d date_wday IN ("monday","tuesday","wednesday","thursday","friday")
| eventstats latest(date_wday) as last_weekday
| eval previous_working_day=case(last_weekday="monday","friday",last_weekday="tuesday","monday",last_weekday="wednesday","tuesday",last_weekday="thursday","wednesday",last_weekday="friday","thursday")
| where date_wday=last_weekday OR date_wday=previous_working_day
... rest of your search...

Basically the search will look back last 4 full days (as on Monday it will have to look back for Thursday-Friday).

It will filter to only look at weekdays, determine last week day, and based on this, determine the previous week day. Then it will filter to only show those last two weekdays.

Hope this helps! 😊

Phoebe

younesboumaaz · ‎02-15-2021

Thank you for your response! Indeed, it would work if only date_wday was in my data... But no worries, it inspired me, and I worked on it to finally find a solution!

I've set my time range to "6 last days" :

index=yourindex
| timechart span=1d sum(NbrHashOK) as sommehash 
| fillnull value=0 sommehash 
| eval 
Jour=strftime(_time, "%A %d %B %Y"),
day_of_week = strftime(_time,"%A"),
now=strftime(now(),"%A") , 
test=case(now="Monday" AND (day_of_week="Thursday" OR day_of_week="Friday"),"OK",
now="Tuesday" AND (day_of_week="Friday" OR day_of_week="Monday"),"OK",
now="Wednesday" AND (day_of_week="Monday" OR day_of_week="Tuesday"),"OK",
now="Thursday" AND (day_of_week="Tuesday" OR day_of_week="Wednesday"),"OK",
now="Friday" AND (day_of_week="Wednesday" OR day_of_week="Thursday"),"OK",
1=1,0) 
| where test="OK" 
| stats sum(sommehash) as test_sommehash values(Jour) as jour

lydiapal_splunk · ‎02-13-2021

Also to note that there must be events on the "last working day" for this search to work.

Get data from the last 2 business days

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms